(57) Abstract:

PROBLEM TO BE SOLVED: To provide an integrated 
policy implementation service for a communication 
network where user authentication is integrated with 
QoS provision. 

SOLUTION: This integrated policy implementation 
service includes a data communication switch 
connected to one or more policy servers. The switch 
transmits requests for user and device information to 
end devices connected to a network. The devices 
respond by transmitting responses including the user 
and device information to the switch. The switch 
transmits the user and device information to the one 
or more policy servers for user authentication and QoS 
provision. The one or more policy servers respond by
transmitting authentication information and QoS information to the switch. The 
switch uses the authentication information to determine whether to enable a 
network interface used by the user to communicate with the network. 
[Japanese-language claims and specification (paragraphs [0001] through [0042]): the OCR of this portion is unrecoverable and is not reproduced. The fragments that can be read show that it parallels the English claims and description that follow. A few details survive that the English portion on this page does not state: the protocol between the switch and the authentication server is given as RADIUS, LDAP (Lightweight Directory Access Protocol) or COPS (Common Open Policy Service), with the authentication table stored in, for example, a Novell, Inc. NetWare directory; the protocol to the QoS server is preferably LDAP or COPS; the authentication procedure refers to what appears to read as U.S. Patent No. 6,070,243; and the on-switch caching of policy rules cross-references a co-pending application titled "ON-SWITCH POLICY RULE CACHING FOR DATA COMMUNICATION SWITCH" filed in 2000.]
1. Title of Invention

INTEGRATED POLICY IMPLEMENTATION SERVICE 
FOR COMMUNICATION NETWORK 

2. Claims 

1. A data communication switch in a communication network
including an end device and one or more policy servers, the data
communication switch for use in an integrated policy
implementation service for the network, the data communication
switch comprising:

means for transmitting to the end device a request for a
plurality of information;

means for receiving from the end device the requested
plurality of information;

means for concurrently transmitting to the one or more
policy servers the received plurality of information; and

means for concurrently receiving from the one or more
policy servers user authentication and quality of service
information, the user authentication and quality of service
information being based on the transmitted plurality of
information.

2. The data communication switch of claim 1, wherein the
plurality of information includes user and device information.

3. The data communication switch of claim 1, wherein the
switch is in communication with one policy server, the one
policy server including:

means for retrieving the user authentication information;
and

means for retrieving the quality of service information.

4. The data communication switch of claim 1, wherein the
switch is in communication with two policy servers, the first
policy server including means for retrieving the user
authentication information and the second policy server
including means for retrieving the quality of service
information.

5. The data communication switch of claim 1 further
comprising means for transitioning a network resource from an 
unauthenticated to an authenticated state in response to the 
user authentication information. 

6. The data communication switch of claim 1 further 
comprising means for implementing a quality of service on the 
switch in response to the quality of service information for 
data flows received from the end device. 

7. The data communication switch of claim 1, wherein the 
user authentication information includes a list of authorized 
network resources. 

8. The data communication switch of claim 1, wherein the 
quality of service information includes a quality of service 
action to be applied to data flows received from the end device. 

9. The data communication switch of claim 1 further
comprising:

a first mode for supporting a single policy server;
a second mode for supporting two policy servers; and
means for selecting between the first mode and the second
mode.

10. A data communication switch in a communication network
including an end device and a policy server, the data
communication switch for use in an integrated policy 
implementation service for the network, the data communication 
switch comprising: 
a first network interface transmitting to the end device
a request for a plurality of information and receiving from the
end device the requested plurality of information;

a management interface coupled to the first network
interface, the management interface transmitting the received
plurality of information to the policy server and the policy
server retrieving user authentication and quality of service
information in response to the plurality of information and
concurrently communicating the retrieved user authentication and
quality of service information to the management interface;

a first driver coupled to the management interface, the
first driver transitioning a network resource from an
unauthenticated to an authenticated state in response to the
user authentication information; and

a second driver coupled to the management interface, the
second driver implementing a quality of service on the switch
for data flows received from the end device in response to the
quality of service information.

11. The data communication switch of claim 10, wherein the 
plurality of information includes user and device information. 

12. The data communication switch of claim 10, wherein the
user authentication information includes a list of authorized
network resources.

13. The data communication switch of claim 10, wherein the
quality of service information includes a quality of service
action to be applied to data flows received from the end device.

14. A data communication switch in a communication network
including an end device and a policy server, the data
communication switch for use in an integrated policy
implementation service for the network, the data communication
switch comprising:

a first network interface transmitting to the end device
a request for a plurality of information and receiving from the
end device the requested plurality of information;

a management interface coupled to the first network
interface, the management interface transmitting the received
plurality of information to the policy server in a single 
control flow and receiving user authentication and quality of 
service information from the policy server in the control flow; 

a first driver coupled to the management interface, the
first driver transitioning a network resource from an
unauthenticated to an authenticated state in response to the
user authentication information; and

a second driver coupled to the management interface, the
second driver implementing a quality of service on the switch 
for data flows received from the end device in response to the 
quality of service information. 

15. The data communication switch of claim 14, wherein the 
plurality of information includes user and device information. 

16. The data communication switch of claim 14, wherein the
user authentication information includes a list of authorized
network resources.

17. The data communication switch of claim 14, wherein the
quality of service information includes a quality of service
action to be applied to data flows received from the end device.

18. A data communication switch in a communication network
including an end device, a first policy server, and a second
policy server, the data communication switch for use in an
integrated policy implementation service for the network, the
data communication switch comprising:

a first network interface transmitting to the end device
a request for a plurality of information and receiving from the
end device the requested plurality of information;

a management interface coupled to the first network
interface transmitting to the first policy server in a first
control flow a first portion of the plurality of the information
and receiving from the first policy server in the first control
flow user authentication information, the management interface
further transmitting to the second policy server in a second
control flow a second portion of the plurality of the
information and receiving from the second policy server in the
second control flow a quality of service information, wherein
the first control flow occurs concurrently with the second
control flow;

a first driver coupled to the management interface, the
first driver transitioning a network resource from an
unauthenticated to an authenticated state in response to the
user authentication information; and

a second driver coupled to the management interface, the 
second driver implementing a quality of service on the switch 
for data flows received from the end device in response to the 
quality of service information. 

19. The data communication switch of claim 18, wherein the
plurality of information includes user and device information.

20. The data communication switch of claim 18, wherein the
user authentication information includes a list of authorized
network resources.

21. The data communication switch of claim 18, wherein the
quality of service information includes a quality of service
action to be applied to data flows received on the switch.

22. In a communication network
including an end device and one or more policy servers, a method
for integrated policy implementation service for the network
comprising:

transmitting to the end device a request for a plurality
of information;

receiving from the end device the requested plurality of 
information; 

transmitting to the one or more policy servers the 
received plurality of information; and 

receiving from the one or more policy servers user
authentication information concurrently with quality of service
information, the user authentication and quality of service
information being based on the transmitted plurality of
information. 

23. The method of claim 22, wherein the plurality of
information includes user and device information.

24. The method of claim 22 further comprising:
retrieving the user authentication information; and 
retrieving the quality of service information. 

25. The method of claim 22 further comprising
transitioning a network resource from an unauthenticated to an
authenticated state in response to the user authentication
information.

26. The method of claim 22 further comprising implementing
a quality of service on the switch for data flows received from
the end device in response to the quality of service
information.

27. The method of claim 22, wherein the user
authentication information includes a list of authorized network
resources.

28. The method of claim 22, wherein the quality of
service information includes a quality of service action to be
applied to data flows received on the switch.

29. The method of claim 22 further comprising selecting
between a first mode supporting a single policy server and a
second mode supporting two policy servers.

30. In a communication network including a switch 
communicating with an end device, a first policy server, and a 
second policy server, a method for integrated policy 
implementation service for the network comprising: 

transmitting to the end device a request for a plurality
of information;

receiving from the end device the requested plurality of 
information; 

transmitting to the first policy server in a first control
flow a first portion of the plurality of the information and
receiving from the first policy server in the first control flow
user authentication information; and

transmitting to the second policy server in a second
control flow a second portion of the plurality of the
information and receiving from the second policy server in the
second control flow a quality of service information;

wherein the first control flow occurs concurrently with the
second control flow.
31. The method of claim 30, wherein the plurality of
information includes user and device information.

32. The method of claim 30 further comprising
transitioning a network resource from an unauthenticated to an
authenticated state in response to the user authentication
information.

33. The method of claim 30 further comprising implementing
a quality of service on the switch for data flows received from
the end device in response to the quality of service
information.

34. The method of claim 30, wherein the user
authentication information includes a list of authorized network
resources.

35. The method of claim 30, wherein the quality of service
information includes a quality of service action to be applied
to data flows received on the switch.






3. Detailed Description of Invention 

FIELD OF THE INVENTION 

The present invention relates generally to data
communication networks, and more particularly, to data
communication networks integrating user authentication and
quality of service provisioning into a single policy service.

BACKGROUND OF THE INVENTION 

Data communication networks are becoming more and more
intelligent. One service increasing the intelligence of
networks is user authentication. User authentication answers
the question of whether a user may communicate in the network.
Whereas legacy networks provided users unrestricted access to the
network, more recent vintage networks permit a user to
communicate only after verifying the user's identity, and even
then may allow the user to communicate only with a subset of
network devices.

Another service raising the intelligence of networks is
quality of service (QoS) provisioning. QoS provisioning
addresses the question of how well a user may communicate in the
network. Whereas legacy networks provided first-in-time
delivery of packets, more recent vintage networks depart from
first-in-time packet ordering and provide different QoS for
different data flows.

QoS applies policy rules to the flows seen on the network.
A policy rule generally includes a flow condition component and
a QoS action component, and answers the question of what action
should be applied to a flow meeting a particular condition. For
example, a simple policy rule may take the form "treat traffic
in group 2 at priority level 3," in which case the flow
condition is "group 2" and the QoS action is "priority level 3."
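The condition/action structure described above, as an added example that is not part of the patent text: a small first-match policy evaluator over the Layer 2/3 fields the page later lists as device information (MAC, IP, VLAN, ingress port). The rule set, the field names, and the reading of "group 2" as VLAN 2 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    """A flow as the switch classifies it (field names are assumptions)."""
    src_mac: str
    src_ip: str
    vlan: int
    ingress_port: int


@dataclass(frozen=True)
class FlowCondition:
    """Condition component of a policy rule. A None field is a wildcard."""
    src_mac: Optional[str] = None
    src_net: Optional[str] = None        # CIDR prefix such as "10.1.2.0/24"
    vlan: Optional[int] = None
    ingress_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.src_mac is not None and self.src_mac.lower() != flow.src_mac.lower():
            return False
        if self.src_net is not None:
            net = ipaddress.ip_network(self.src_net, strict=False)
            if ipaddress.ip_address(flow.src_ip) not in net:
                return False
        if self.vlan is not None and self.vlan != flow.vlan:
            return False
        if self.ingress_port is not None and self.ingress_port != flow.ingress_port:
            return False
        return True


@dataclass(frozen=True)
class QosAction:
    """Action component: a priority level and an optional rate cap (None = uncapped)."""
    priority: int
    max_bandwidth_kbps: Optional[int] = None


@dataclass(frozen=True)
class PolicyRule:
    condition: FlowCondition
    action: QosAction


# A flow matched by no rule falls to best effort; it never inherits a higher class.
BEST_EFFORT = QosAction(priority=0)


def classify(rules: List[PolicyRule], flow: Flow) -> QosAction:
    """First-match evaluation; the operator orders rules most specific first."""
    for rule in rules:
        if rule.condition.matches(flow):
            return rule.action
    return BEST_EFFORT


def example_rules() -> List[PolicyRule]:
    """Constructed rule set; 'group 2' from the page is modelled as VLAN 2 (assumption)."""
    return [
        # One known host on VLAN 2 is rate-capped; listed first so it is not shadowed.
        PolicyRule(FlowCondition(src_mac="00:11:22:33:44:55", vlan=2),
                   QosAction(priority=3, max_bandwidth_kbps=2_000)),
        # "treat traffic in group 2 at priority level 3"
        PolicyRule(FlowCondition(vlan=2), QosAction(priority=3)),
        # Anything sourced from the management subnet gets top priority on any VLAN.
        PolicyRule(FlowCondition(src_net="10.0.0.0/24"), QosAction(priority=7)),
    ]
```

Because a single MAC rule is more specific than the VLAN-wide rule, it must precede it; reversing the order silently drops the rate cap, which is the usual way a first-match table ends up granting more than the operator intended.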

While user authentication and QoS provisioning services
have created more intelligent networks, they have not been
tightly integrated. Typically, the QoS provisioning task has
only been initiated after the user authentication task has been
successfully completed. Duplication of effort and unnecessary
delay have therefore resulted from such serialized policy
provisioning.

SUMMARY OF THE INVENTION 

The present invention comprises an integrated policy
implementation service for a communication network where user
authentication is integrated with QoS provisioning.

In one aspect of the invention, a data communication 
switch supports the integrated policy implementation service 
via a single integrated policy server. The switch includes a 
first network interface that transmits to an end device a 
request for user and device information, and receives from the 
end device the requested user and device information. The user 
information may include a user identifier and password. The 
device information may include Layer 2 and/or Layer 3
information such as, for example, MAC addresses, Internet
Protocol (IP) addresses, and virtual LAN (VLAN) identifiers.

The data communication switch includes a management
interface that transmits the received user and device
information to the policy server and receives user
authentication and quality of service information in a single
control flow between the management interface and the policy
server. The authentication information may include ACK/NACK
indicators and/or lists of authorized ports or devices. The QoS
information may include priority and maximum bandwidth
information.

The data communication switch also includes a first
driver, such as, for example, a port driver, that transitions
a network resource from an unauthenticated to an authenticated
state in response to the user authentication information. In
addition, a second driver, such as, for example, a QoS driver,
implements a quality of service on the switch for data flows
received from the end device in response to the quality of
service information.

In another aspect of the invention, the data communication 
switch supports the integrated policy implementation service via 
two independent policy servers. The switch includes a 
management interface that transmits the received user 
information to a first policy server in a first control flow and 
receives user authentication information from the first policy 
server in the first control flow. The management interface 
further transmits the received device information to a second
policy server in a second control flow and receives quality of 
service information from the second policy server in the second 
control flow. The first and second control flows preferably 
occur in parallel. Such parallel execution of user
authentication and QoS provisioning helps reduce the delays
associated with serialized policy provisioning existing in the
prior art.

DETAILED DESCRIPTION OF THE SPECIFIC EMBODIMENTS

FIG. 1 is a schematic diagram of a communication network
supporting an integrated policy implementation service. The
network includes a data communication switch 10 coupled to
policy servers 12, 14 and devices 16a, 16b, 16c. The data
communication switch 10 is coupled to data communication switch 
18 across a backbone network 20 via one or more core switches 
(not shown) operative in the backbone network. Data 
communication switch 18 is also coupled to a policy server 22 
and devices 24a, 24b, 24c. 

The devices 16, 24 are preferably network end-stations,
such as, for example, personal computers, workstations, or
servers, having respective network interfaces for packetized
communication with other devices via the data communication
switches 10, 18. The data communication switches 10, 18 are
preferably gateway devices such as, for example, hubs, bridges,
or routers, having a plurality of respective network interfaces
for forwarding packetized communications originated by the
devices 16, 24. The policy servers 12, 14, 22 preferably
provide authentication and QoS provisioning services to the data
communication switches 10, 18. The devices 16, 24, data
communication switches 10, 18, and policy servers 12, 14, 22 may
be interconnected via cables or other transmission media, and
may support various data communication protocols, such as, for
example, Ethernet, Internet Protocol, and Asynchronous Transfer
Mode (ATM).

Integrated policy implementation service is discussed in 
general terms with respect to the data communication switch 10 
and policy servers 12, 14. The data communication switch 10 
preferably transmits requests for user and device information 
to the devices 16 connected to the network. The devices 16 
preferably respond by transmitting responses including the user 
and device information to the switch 10. The switch 10 
preferably transmits the received user and device information 
to the policy servers 12, 14 for user authentication and QoS 
provisioning. The policy servers 12, 14 preferably respond by
transmitting authentication information and QoS information to 
the switch 10. The switch 10 preferably uses the authentication 
information to determine whether to enable a network interface 
used by the user to communicate with the network. To the extent 
a determination is made to enable the network interface, the 
switch preferably uses the received QoS information to establish
a QoS on the switch. The QoS is then applied to the traffic
received from the device used by the user to communicate with
the network. 

According to one embodiment of the invention, the
integrated policy implementation service configuration
preferably includes two independent policy servers as is
illustrated by data communication switch 10 and policy servers
12, 14. FIG. 2 is a more detailed schematic diagram of the data
communication switch 10 supporting an integrated policy
implementation service via the two policy servers 12, 14 (also
referred to as authentication and QoS servers). The data
communication switch 10 includes network interfaces 30, 31, 32,
34 and a management interface 36 linked by a data bus 38. The
network interfaces 30, 31, 32, 34 interconnect the devices 16,
switches in the backbone network 20, and policy servers 12, 14
over different interfaces.

The management interface 36 and network interfaces 30, 31,
32, 34 are coupled to the data bus 38 for transmitting and
receiving data traffic. The management interface 36 and network 
interfaces 30, 31, 32, 34 are also coupled to a management bus 
46 for transmitting and receiving management information 
preferably including authentication and QoS information. 

The management interface 36 supports various modules, 
including an integrated policy manager 40, port driver 42, and 
QoS driver 44. The integrated policy manager 40, port driver 
42, and QoS driver 44 are preferably software modules. 
Alternatively, implementation of the system may be accomplished 
in a combination of hardware, firmware (e.g. application 
specific integrated circuits or other customized circuits), 
and/or software, or by any method known in the art. 

According to one embodiment of the invention, the data
communication switch 10 supports integrated policy
implementation in the following manner. The integrated policy
manager 40 transmits user and device information requests via
the management bus 46 to the devices 16.

The devices 16 respond by transmitting the user and device
information via the data bus 38. The user information
preferably includes user identification information, such as,
for example, a user ID, and user signature information, such as,
for example, a password. The device information preferably
includes Layer 2 and/or Layer 3 information, such as, for
example, MAC addresses, IP addresses, VLAN identifiers, and the
like. It should be understood, however, that one or more of
such device information (e.g. the MAC address) may already be
known to the data communication switch 10 via source learning.
In this scenario, the known device address may not need to be
expressly transmitted to the data communication switch.

The user and device information packets are captured off
the data bus 38 by the management interface 36 and forwarded to
the integrated policy manager 40. The integrated policy manager
40 proceeds to determine whether a particular user is authorized
to communicate in the network and identify the QoS designed for
the user device. In this regard, the integrated policy manager
40, in a first control flow, transmits the received user
information to one of the policy servers, namely, the
authentication server 12, and receives a corresponding
authentication information from the authentication server. The
authentication information preferably includes ACK/NACK
indicators, list of authorized ports, and/or other
authenticating information. Although FIG. 2 illustrates a
single authentication server, a network operating in accordance
with the present invention may include one or more
authentication servers.

In a second control flow, the integrated policy manager 40
transmits the received device information to the second policy
server, namely, the QoS server 14, and receives the QoS
information for the device from the QoS server. The QoS
information preferably includes priority levels, maximum
bandwidth information, and the like.

The first and second control flows preferably occur in
parallel. Such parallel execution of user authentication and QoS
provisioning helps reduce the delays associated with serialized
policy provisioning.

FIG. 3 is an exemplary schematic layout diagram of a user
authentication table 50 stored in the authentication server 12.
The authentication table 50 may be created and organized using
tools such as, for example, NetWare®, which is commercially
available from Novell, Inc. In one exemplary embodiment, the
authentication table 50 suitably comprises a set of user
authenticating information that may be arranged in a variety of
ways, but is most advantageously configured as sequential
entries, with each entry specific to a particular user to be
authorized. A particular entry of the table 50 may include a
unique user identifier 52, such as, for example, an
identification number, character, or combination of numbers and
characters. A particular entry may further include a user
signature, such as, for example, a user password 54, for
verifying the user seeking access to the network. In addition
to the above, a particular entry may include time restriction
information 56 as well as authorized resource information 58 for
the particular user. The time restriction information
preferably defines times during which the particular user is
authorized to use the network resources, such as, for example,
the day of the week, time of the day, and length of permitted
access. The list of authorized network resources is preferably
a list of authorized network interfaces and/or devices.

The authentication server 12 preferably utilizes the
authentication table 50 to authorize a user in the manner
described in U.S. Patent No. 6,070,243, the contents of which
are hereby incorporated by reference. The protocol used for
user authentication may include RADIUS, LDAP (Lightweight
Directory Access Protocol), COPS (Common Open Policy Service),
or any other authentication protocol known in the art, either
alone or in combination.

In general terms, however, upon receipt of the user
information from the data communication switch 10, the
authentication server 12 preferably compares the received
information with the user identification and signature
information stored in the server 12. The authentication server
12 may further determine whether any time restrictions
associated with the user identification information are
applicable. If the authentication server 12 verifies that the
user is an authorized user of the network resources, and that
the user is authorized to use the network resources at the time
of the log-in attempt, the server preferably transmits to the
data communication switch 10 an ACK indicator and/or the list
of network resources for which the user is authorized. The
authentication server 12 may also transmit, along with the list
of resources, any time restrictions applicable to the usage.
The integrated policy manager 40 may then invoke the port driver
42 to establish network connectivity rules on the network
interface 32 used by the user to communicate with the network.
Specifically, the port driver preferably enables the authorized
network resources by transitioning them from an unauthenticated
state to an authenticated state. The integrated policy manager
40 may also perform time restriction processing based on the
time restriction information 56.
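
The authentication-server decision described above, worked through as an added example (not the patent's own code) over a FIG. 3-style table: identifier 52, signature 54, time restriction 56 and authorized resources 58 per entry. The field names, the hashed storage of the signature, the time-window encoding and the sample users are assumptions made for this illustration.

```python
# Added example (not the patent's own code): an authentication-server
# check over a FIG. 3-style table.  The field names, the hashed-signature
# storage, the time-window encoding and the sample users are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


@dataclass
class AuthEntry:
    user_id: str                 # unique user identifier (52)
    salt: bytes                  # per-user salt for the stored signature (54)
    signature_hash: bytes        # hashed password; the plaintext is never stored
    allowed_days: frozenset      # time restriction (56): weekday numbers, Monday = 0
    window: tuple                # time restriction (56): (start_hour, end_hour), end exclusive
    max_session: timedelta       # time restriction (56): permitted length of access
    resources: list = field(default_factory=list)   # authorized resources (58)


def make_entry(user_id, password, allowed_days, window, max_session, resources):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return AuthEntry(user_id, salt, digest, frozenset(allowed_days), window,
                     max_session, list(resources))


# Constructed sample table: one sequential entry per user to be authorized.
TABLE = {e.user_id: e for e in [
    make_entry("alice", "correct horse", {0, 1, 2, 3, 4}, (8, 18),
               timedelta(hours=8), ["port 32", "port 34"]),
    make_entry("bob", "hunter2", {5, 6}, (0, 24), timedelta(hours=2), ["port 30"]),
]}


def authenticate(table, user_id, password, now):
    """Server-side decision: returns (ack, authorized_resources, time_restriction).

    ack False models the NACK indicator; the third element carries the usage
    restriction the server sends along with the resource list.
    """
    entry = table.get(user_id)
    # Run the key derivation even for an unknown user so the response time does
    # not reveal whether the user ID exists.
    salt = entry.salt if entry is not None else bytes(16)
    presented = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if entry is None or not hmac.compare_digest(presented, entry.signature_hash):
        return False, [], None                    # bad ID or signature: NACK
    start, end = entry.window
    if now.weekday() not in entry.allowed_days or not (start <= now.hour < end):
        return False, [], None                    # valid user, but outside permitted times
    # Permitted access length: the session ends at max_session or at the window
    # end, whichever comes first, so the port driver knows when to re-authenticate.
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    expires = min(now + entry.max_session, midnight + timedelta(hours=end))
    return True, list(entry.resources), {"expires": expires}
```
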

FIG. 4 is an exemplary schematic layout diagram of a QoS
table 60 stored in the QoS server 14. The QoS table 60
preferably comprises a set of flow conditions 62 and QoS actions
64 matching each of the flow conditions. The flow conditions
62 may include MAC addresses, IP addresses, VLAN identifiers,
slot/port identifiers, IP protocols, interface types, and the
like. The QoS actions 64 specify at least a priority level
indicative of a priority given to traffic meeting the flow
condition. The QoS actions 64 may further indicate a maximum
bandwidth, minimum bandwidth, peak bandwidth, priority, latency,
jitter, maximum queue depth, maximum queue buffers, and the
like.

In identifying an applicable QoS for the traffic received
from the device, the integrated policy manager 40 preferably
uses LDAP or COPS to transmit a QoS request with the device
information to the QoS server 14. Upon receipt of the device
information, the QoS server 14 identifies a flow condition and
returns the corresponding QoS action to the data communication
switch 10. The QoS action packets are captured off the data bus
38 by the management interface 36 and forwarded to the
integrated policy manager 40. The integrated policy manager 40
then notifies the QoS driver 44 to implement the QoS action on
the switch. According to one embodiment of the invention, the
data communication switch 10 may store the flow condition and
the received QoS action in a cache for future use, as is
disclosed in the application entitled "ON-SWITCH POLICY RULE
CACHING FOR DATA COMMUNICATION SWITCH," filed on September 13,
2000, the contents of which are hereby incorporated by
reference.
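
The flow-condition lookup of FIG. 4 and the on-switch caching mentioned above, as an added example (not the patent's own code or the referenced application's): the server returns the action of the most specific matching condition, and the switch remembers the answer per device. The field names, the "None matches anything" wildcard and the sample rules are assumptions.

```python
# Added example (not the patent's own code): matching device information
# against FIG. 4-style flow conditions on the QoS server, and the switch-side
# cache of results.  Field names, the "None matches anything" wildcard and the
# sample rules are assumptions made for this illustration.
from dataclasses import dataclass, fields
from typing import Optional


@dataclass(frozen=True)
class FlowCondition:          # flow condition (62); a None field matches any value
    mac: Optional[str] = None
    ip: Optional[str] = None
    vlan: Optional[int] = None
    slot_port: Optional[str] = None
    ip_proto: Optional[str] = None
    iface_type: Optional[str] = None

    def matches(self, device_info):
        return all(getattr(self, f.name) is None
                   or device_info.get(f.name) == getattr(self, f.name)
                   for f in fields(self))

    def specificity(self):
        return sum(getattr(self, f.name) is not None for f in fields(self))


@dataclass(frozen=True)
class QoSAction:              # QoS action (64); the priority level is mandatory
    priority: int
    max_bw_kbps: Optional[int] = None
    min_bw_kbps: Optional[int] = None
    max_queue_depth: Optional[int] = None


# Constructed sample QoS table 60: (flow condition, matching QoS action).
QOS_TABLE = [
    (FlowCondition(vlan=10), QoSAction(priority=3, max_bw_kbps=10_000)),
    (FlowCondition(vlan=10, ip_proto="udp"),
     QoSAction(priority=6, min_bw_kbps=2_000, max_queue_depth=64)),
    (FlowCondition(iface_type="guest"), QoSAction(priority=1, max_bw_kbps=1_000)),
]
DEFAULT_ACTION = QoSAction(priority=0)   # returned when no flow condition matches


def qos_lookup(table, device_info):
    """QoS server side: the action of the most specific matching flow condition."""
    best = None
    for cond, action in table:
        if cond.matches(device_info) and (
                best is None or cond.specificity() > best[0].specificity()):
            best = (cond, action)
    return best if best is not None else (None, DEFAULT_ACTION)


class SwitchQoSCache:
    """Switch side: remembers the server's answer so a repeat device skips the round trip.

    The cache is keyed by the exact device information rather than by the matched
    condition alone: a cached broad condition (vlan=10) would otherwise shadow a
    narrower server rule (vlan=10 + udp) for a device the switch has not asked about.
    """
    def __init__(self, table):
        self.table = table
        self.cache = {}               # frozenset(device_info items) -> (condition, action)
        self.server_queries = 0

    def resolve(self, device_info):
        key = frozenset(device_info.items())
        if key not in self.cache:
            self.server_queries += 1
            self.cache[key] = qos_lookup(self.table, device_info)
        return self.cache[key][1]
```
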

FIG. 5 is an exemplary flow diagram of an integrated
policy implementation service supported by the switch 10 via the
two policy servers 12, 14. In step 70, the management interface
36 preferably transmits a user and device information request
to the devices 16. In step 72, the management interface 36
receives the requested user and device information from the
devices 16. In a first control flow indicated by steps 74 and
76, the integrated policy manager 40 transmits a user
authentication request with the user information to the
authentication server 12 and receives back the user
authentication information indicating whether the user has been
authenticated.

In a second control flow indicated by steps 78 and 80, the
integrated policy manager 40 transmits a QoS request with the
device information to QoS server 14 and receives back the QoS
information for the traffic originating from the device. The
first and second control flows preferably occur in parallel.

In step 82, an inquiry is made as to whether the user
authentication was successful. If the authentication was
successful, the integrated policy manager 40 preferably invokes
the port driver 42 and the QoS driver 44 to enable the
appropriate network interface and implement the identified QoS
on the data communication switch 10.

According to an alternative embodiment of the invention,
the integrated policy implementation service configuration
includes a single integrated policy server, as is illustrated
by data communication switch 18 and policy server 22. FIG. 6
is a more detailed schematic diagram of the data communication
switch 18 supporting an integrated policy implementation service
via the single policy server 22 (also referred to as an
integrated policy server). The data communication switch 18
includes network interfaces 90, 92, 94, 96 and management
interface 98 linked by data bus 100. The network interfaces 90,
92, 94, 96 interconnect the devices 24, switches in the backbone
network 20, and integrated policy server 22 over different
interfaces.

The management interface 98 and network interfaces 90, 92,
94, 96 are coupled to the data bus 100 for transmitting and
receiving data traffic. The management interface 98 and network
interfaces 90, 92, 94, 96 are also coupled to a management bus
102 for transmitting and receiving management information
including authentication and QoS information.

The management interface 98 supports various modules,
including an integrated policy manager 104, port driver 106, and
QoS driver 108. The policy manager 104, port driver 106, and
QoS driver 108 are preferably software modules. Alternatively,
implementation of the system may be accomplished in a
combination of hardware, firmware (e.g. application specific
integrated circuits or other customized circuits), and/or
software, or by any method known in the art.

According to one embodiment of the invention, the data
communication switch 18 supports integrated policy
implementation in the following manner. The integrated policy
manager 104 preferably transmits user and device information
requests via the management bus 102 to the devices 24.

The devices 24 respond by transmitting the user and device
information via the data bus 100. The user information
preferably includes user identification information, such as,
for example, a user ID, and user signature information, such as,
for example, a password. The device information preferably
includes Layer 2 and/or Layer 3 information, such as, for
example, MAC addresses, IP addresses, virtual LAN identifiers,
and the like. It should be understood, however, that one or
more of such device information (e.g. the MAC address) may
already be known to the data communication switch 18 via source
learning. In this scenario, the known device address may not
need to be expressly transmitted to the data communication
switch.

The user and device information packets are captured off
the data bus 100 by the management interface 98 and forwarded
to the integrated policy manager 104. The integrated policy
manager 104 proceeds to determine whether a particular user is
authorized to communicate in the network and identify the QoS
designed for the user device. In this regard, the integrated
policy manager 104, preferably in a single control flow,
transmits to the integrated policy server 22 the received user
and device information, and receives from the integrated policy
server 22 a corresponding authentication and QoS information.
The authentication information preferably includes ACK/NACK
indicators, list of authorized ports, and/or other
authenticating information. The QoS information preferably
includes priority levels, maximum bandwidth information, and the
like.

FIG. 7 is an exemplary schematic layout diagram of a user
authentication table 110 stored in the integrated policy server
22. The authentication table 50 may be created and organized
using tools such as, for example, NetWare®, which is
commercially available from Novell, Inc. In one exemplary
embodiment, the authentication table 110 suitably comprises a
set of user authenticating information that may be arranged in
a variety of ways, but is most advantageously configured as
sequential entries, with each entry specific to a particular
user to be authorized. A particular entry of the table 110
includes a unique user identifier 112, such as, for example, an
identification number, character, or combination of numbers and
characters. A particular entry further includes a user
signature, such as, for example, a user password 114, for
verifying the user seeking access to the network. In addition
to the above, a particular entry includes time restriction
information 116 as well as authorized resource information 118
for the particular user. The time restriction information
preferably defines times during which the particular user is
authorized to use the network resources, such as, for example,
the day of the week, time of the day, and length of permitted
access. The list of authorized network resources is preferably
a list of authorized network interfaces and/or devices.

FIG. 8 is an exemplary schematic layout diagram of a QoS
table 120 also stored in the integrated policy server 22. The
QoS table 120 preferably comprises a set of flow conditions 122
and QoS actions 124 matching each of the flow conditions. The
flow conditions 122 preferably include MAC addresses, IP
addresses, VLAN identifiers, slot/port identifiers, IP
protocols, interface types, and the like. The QoS actions 124
specify at least a priority level indicative of a priority given
to traffic meeting the flow condition. The QoS actions 124 may
further indicate a maximum bandwidth, minimum bandwidth, peak
bandwidth, priority, latency, jitter, maximum queue depth,
maximum queue buffers, and the like.

According to one embodiment of the invention, the
authentication and QoS tables 110, 120 are stored in one or more
databases hosted by the integrated policy server 22. The
database(s) preferably reside in one or more mass storage
devices, such as, for example, hard disk drives, or drive
arrays.

The integrated policy server 22 preferably utilizes the
authentication table 110 to authorize a user in the manner
described in U.S. Patent No. 6,070,243, the contents of which
are hereby incorporated by reference. The protocol used for
user authentication may include RADIUS, LDAP (Lightweight
Directory Access Protocol), COPS, or any other authentication
protocol known in the art, either alone or in combination. The
integrated policy server 22 further uses the QoS table 120 to
identify the appropriate QoS based on the device information.
The protocol used to transmit a QoS request is preferably LDAP
or COPS.

In general terms, upon receipt of the user and device
information from the data communication switch 18, the
integrated policy manager 104 proceeds to obtain the
authentication and QoS information preferably in a single
control flow between the data communication switch and the
integrated policy server 22. In this regard, the integrated
policy server preferably compares the received user
identification and signature information with the information
stored in the authentication table 110. If the user is
verified, the integrated policy server 22 also determines
whether any time restrictions associated with the user
identification information are applicable.

The integrated policy server 22 further proceeds to 
identify an applicable QoS based on the received device 
information. In this regard, the integrated policy server 22 
interrogates the QoS table 120 to identify a flow condition and 
returns the corresponding QoS action. 

The integrated policy server 22 then transmits the user
authentication and QoS information to the data communication
switch 18. If the integrated policy server 22 verifies that the
user is an authorized user of the network resources, and that
the user is authorized to use the network resources at the time
of the log-in attempt, the server transmits to the data
communication switch 22 an ACK indicator, and/or the list of
network resources for which the user is authorized. The
integrated policy server 22 may also transmit, along with the
list of resources, any time restrictions applicable to the
usage. The integrated policy server 22 also transmits to the
data communication switch 18 the identified QoS action including
priority level, maximum bandwidth, and the like.

The authentication and QoS action packets are captured off 
the data bus 100 by the management interface 98 and forwarded
to the integrated policy manager 104. The integrated policy 
manager 104 then invokes the port driver 106 to establish 
network connectivity rules on the network interface 94 used by 
the user to communicate with the network. Specifically, the 
port driver enables the authorized network resources by 
transitioning them from an unauthenticated state to an 
authenticated state. 

The integrated policy manager also invokes the QoS driver
108 to implement the QoS action on the switch. According to one
embodiment of the invention, the data communication switch 18
may store the flow condition and the received QoS action in the
cache for future use, as is disclosed in the application
entitled "ON-SWITCH POLICY RULE CACHING FOR DATA COMMUNICATION
SWITCH," filed on September 13, 2000, the contents of which are
hereby incorporated by reference.

FIG. 9 is an exemplary flow diagram of an integrated
policy implementation service supported by the switch 18 via the
single integrated policy server 22. In step 130, the management
interface 98 transmits a user and device information request to
the devices 24. In step 132, the management interface 98
receives the requested user and device information from the
devices 24. In step 134, the integrated policy manager 104
transmits the user and device information to the integrated
policy server 22 in a request for user authentication and QoS
provisioning. In step 136, the integrated policy manager 104
receives the user authentication information and QoS information
if the user has been authenticated. In step 138, an inquiry is
made as to whether the user authentication was successful. If
the authentication was successful, the integrated policy manager
104 invokes the port driver 106 and QoS driver 108 to enable the
appropriate network interface and implement the identified QoS
on the data communication switch 18.

According to one embodiment of the invention, the switches 
10, 18 may be arranged to be operative in independent (two 
policy servers) and integrated (one policy server) modes. The 
type of mode selected is preferably automatically determined 
based on the current service configuration. 
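
The integrated policy manager's decision logic in both modes, the two-server flow of FIG. 5 (steps 74 to 82) and the single-server flow of FIG. 9 (steps 134 to 138), as an added example that is not the patent's own code. The in-memory server stubs standing in for RADIUS/LDAP/COPS exchanges, their message fields and the simulated round-trip delays are assumptions; the point shown is that the QoS answer is installed only after a successful authentication, and that the parallel mode's latency is that of the slower server rather than the sum.

```python
# Added example (not the patent's own code): the integrated policy manager's
# decision logic for both modes, the two-server flow of FIG. 5 (steps 74-82)
# and the single-server flow of FIG. 9 (steps 134-138).  The in-memory server
# stubs, their message fields and the simulated delays are assumptions.
from concurrent.futures import ThreadPoolExecutor
import time

SERVER_DELAY = 0.2     # seconds; simulated round trip to a policy server

# Constructed stand-ins for the policy servers (a real switch would use
# RADIUS/LDAP/COPS): user ID -> (password, authorized ports); MAC -> QoS action.
AUTH_DB = {"alice": ("correct horse", ["port 32"])}
QOS_DB = {"00:11:22:33:44:55": {"priority": 5, "max_bw_kbps": 10_000}}


def auth_server(user_info, delay=SERVER_DELAY):
    """Authentication server 12: returns an ACK/NACK indicator and the port list."""
    time.sleep(delay)
    password, ports = AUTH_DB.get(user_info["user_id"], (None, []))
    ok = password is not None and password == user_info["password"]
    return {"ack": ok, "ports": ports if ok else []}


def qos_server(device_info, delay=SERVER_DELAY):
    """QoS server 14: returns the QoS action for the device's flow."""
    time.sleep(delay)
    return QOS_DB.get(device_info["mac"], {"priority": 0})


def integrated_server(user_info, device_info, delay=SERVER_DELAY):
    """Integrated policy server 22: one request carries both answers."""
    time.sleep(delay)
    auth = auth_server(user_info, delay=0)
    qos = qos_server(device_info, delay=0) if auth["ack"] else None
    return {"auth": auth, "qos": qos}


class Switch:
    """Integrated policy manager plus the port and QoS drivers it invokes."""

    def __init__(self, mode):
        self.mode = mode              # "independent" (two servers) or "integrated" (one)
        self.enabled_ports = set()    # ports moved to the authenticated state
        self.qos_rules = {}           # port -> QoS action installed by the QoS driver

    def handle_login(self, user_info, device_info):
        if self.mode == "independent":
            # Steps 74-80: user info to the auth server and device info to the
            # QoS server at the same time, so the slower of the two sets the latency.
            with ThreadPoolExecutor(max_workers=2) as pool:
                auth_future = pool.submit(auth_server, user_info)
                qos_future = pool.submit(qos_server, device_info)
                auth, qos = auth_future.result(), qos_future.result()
        else:
            # Steps 134-136: a single control flow to the integrated server.
            reply = integrated_server(user_info, device_info)
            auth, qos = reply["auth"], reply["qos"]
        # Step 82 / 138: the QoS answer is acted on only if authentication
        # succeeded; on NACK the interface stays unauthenticated and the QoS
        # information is discarded rather than installed.
        if not auth["ack"]:
            return False
        self.enabled_ports.update(auth["ports"])          # port driver
        for port in auth["ports"]:                        # QoS driver
            self.qos_rules[port] = qos
        return True


def timed_login(switch, user_info, device_info):
    """Return (enabled, seconds) so the parallel and serial latencies can be compared."""
    start = time.perf_counter()
    enabled = switch.handle_login(user_info, device_info)
    return enabled, time.perf_counter() - start
```
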

Although this invention has been described in certain
specific embodiments, those skilled in the art will have no
difficulty devising variations which in no way depart from the
scope and spirit of the present invention. It is therefore to
be understood that this invention may be practiced otherwise
than is specifically described. Thus, the present embodiments
of the invention should be considered in all respects as
illustrative and not restrictive, the scope of the invention to
be indicated by the appended claims and their equivalents rather
than the foregoing description.

4. Brief Description of Drawings

FIG. 1 is a schematic diagram of a communication network
supporting an integrated policy implementation service.

FIG. 2 is a more detailed schematic diagram of a data
communication switch supporting an integrated policy
implementation service via two policy servers.

FIG. 3 is an exemplary schematic layout diagram of a user
authentication table stored in one of the policy servers of FIG.
2.

FIG. 4 is an exemplary schematic layout diagram of a QoS
table stored in the other policy server of FIG. 2.

FIG. 5 is an exemplary flow diagram of an integrated
policy implementation service via the two policy servers of FIG.
2.

FIG. 6 is a more detailed schematic diagram of a data
communication switch supporting an integrated policy
implementation service via a single integrated policy server.

FIG. 7 is an exemplary schematic layout diagram of a user
authentication table stored in the integrated policy server of
FIG. 6.

FIG. 8 is an exemplary schematic layout diagram of a QoS
table stored in the integrated policy server of FIG. 6.

FIG. 9 is an exemplary flow diagram of an integrated
policy implementation service via the integrated policy server
of FIG. 6.

[Drawing sheets: Fig. 3, Fig. 4, Fig. 5, Fig. 7, Fig. 8, Fig. 9]

1. Abstract

An integrated policy implementation service for a
communication network where user authentication is integrated
with QoS provisioning. The service includes a data
communication switch connected to one or more policy servers.
The switch transmits requests for user and device information
to the end devices connected to the network. The devices
respond by transmitting responses including the user and device
information to the switch. The switch transmits the user and
device information to the one or more policy servers for user
authentication and QoS provisioning. The one or more policy
servers respond by transmitting authentication information and
QoS information to the switch. The switch uses the
authentication information to determine whether to enable a
network interface used by the user to communicate with the
network. To the extent a determination is made to enable the
network interface, the switch uses the received QoS information
to establish a QoS on the switch. The QoS is then applied to
the traffic received from the device used by the user to
communicate with the network.

2. Representative Drawing
Fig. 1